Audit of the Trusted Internet Connections Initiative at NARA

OIG Audit Report No. 11-17

September 30, 2011

Table of Contents

Executive Summary
Background
Objectives, Scope, Methodology
Audit Results
Attachment 1
Appendix A – Acronyms and Abbreviations
Appendix B – Management’s Response to the Report
Appendix C – Report Distribution List

Executive Summary

The National Archives and Records Administration (NARA) Office of Inspector General (OIG) completed an audit of the Trusted Internet Connections (TIC) Initiative at NARA. In 2007, the Office of Management and Budget (OMB) announced the TIC initiative to optimize individual network services into a common solution for the Federal government. This initiative aimed to reduce external connections and improve the Federal government’s incident response capability. The purpose of this audit was to assess NARA’s efforts to meet this initiative and determine whether NARA had adequately prepared and planned to meet the goals of the TIC initiative.

Our review found NARA had not adequately planned and prepared to meet the goals of OMB’s TIC initiative.
More than three years after OMB’s announcement of this initiative, NARA had not fully completed actions to comply with requirements set by OMB, the U.S. General Services Administration (GSA), and the Department of Homeland Security (DHS). For example, a comprehensive Plan of Action and Milestones (POA&M) had not been developed to reduce and consolidate NARA’s external connections and implement crucial TIC capabilities. Further, NARA had not developed contract requirements to determine the appropriate Contract Line Item Numbers (CLINs) needed to implement TIC services. Instead, the contractor providing those services was tasked with identifying the appropriate CLINs. Finally, a process had not been developed to monitor the contractor’s performance of these services.

Despite reporting in 2008 that NARA was well into its migration to decrease from seven external connections to two TIC-approved connections, NARA had only eliminated one of their external connections by 2010 and had not yet eliminated the other four external connections to meet its goal. Further, as of May 2011, NARA had not fully implemented the two TIC-approved connections. Therefore, it appeared NARA had not managed this project as a priority and had not identified any constraints or technical gaps to prevent implementation of the TIC initiative. In addition, formal detailed planning documents were not prepared and executed to meet the goals of the initiative or address any constraints or technical gaps preventing implementation. While a lack of transition priority was evident across the Government, progress has recently been reported at NARA and other organizations.

As a result, NARA had not fully implemented TIC as required by OMB and missed out on potential benefits offered by reducing its external connections and utilizing TIC-approved connections.
For example, other agencies have experienced benefits such as improved network security and management. By reducing the number of access points, an agency can improve its ability to monitor traffic and protect against network attacks.

To meet the requirements of the TIC initiative, we made six recommendations. These recommendations will aid in implementing TIC at NARA and meeting OMB, GSA, and DHS requirements.

Background

In November 2007, the Office of Management and Budget (OMB) issued a memorandum announcing the Trusted Internet Connections (TIC) initiative. The goal of this initiative was to optimize individual network services into a common solution for the Federal government. To meet these goals, each agency was required to develop a comprehensive plan of action and milestones (POA&M) and devote employees to work on the development and implementation of TIC. Subsequent guidelines required agencies to inventory and document all their gateway connections; assess their architecture, policy, and implementation results; and define their target inventory and architecture. In this process, TIC compelled agencies to gain an in-depth understanding of the breadth of their total Internet presence.

Another goal of this initiative included enhancing the Federal government’s incident response capabilities through reduction of external connections and called for agencies to consolidate their existing external Internet connections. This would allow agencies to optimize and standardize the security of their external network connections.
Although the initiative was intended to secure Internet connections, other external connections to potentially unsecured systems were also required to be routed through an approved TIC access point, even if they did not pass through the Internet. Ultimately, the initiative will improve the Federal government’s security posture and incident response capability through the reduction and consolidation of external connections, and provide enhanced monitoring and situational awareness of external network connections.

In 2009, this initiative was re-emphasized as part of the Comprehensive National Cybersecurity Initiative (CNCI). The CNCI consisted of mutually reinforcing initiatives with goals designed to help secure the United States in cyberspace. The first initiative under the CNCI was to manage the Federal Enterprise Network as a single network enterprise with Trusted Internet Connections. According to the CNCI, this consolidation of the Federal Government’s external access points would result in a common security solution. Again, this solution would facilitate the reduction of external access points, establishment of baseline security capabilities, and validation of agency adherence to those security capabilities. All federal agencies in the executive branch, except for the Department of Defense, were required to implement this initiative.

Agencies participated in the TIC initiative either as TIC Access Providers (TICAP) or by contracting with commercial Managed Trusted Internet Protocol Service (MTIPS) providers through the GSA-managed NETWORX contract vehicle. As a TICAP, an agency is responsible for providing external connections through a centralized gateway to only internal customers or to their internal and other external customers.
Given NARA’s size, NARA’s Office of Information Services (NH) officials chose not to become an Access Provider and decided to seek these services through GSA’s NETWORX contract.

Objectives, Scope, Methodology

The purpose of this audit was to determine whether NARA had prepared to meet the goals of the Trusted Internet Connections (TIC) initiative. Specifically, we sought to determine NARA’s efforts to implement TIC; identify any constraints or gaps in implementation; and evaluate NARA’s readiness for compliance.

To satisfy the audit objective, we reviewed various OMB memoranda[1] and guidance related to TIC and NETWORX contracts issued by OMB, the U.S. General Services Administration (GSA), and the Department of Homeland Security (DHS). We also reviewed NARA’s internal guidance, including the NARA Enterprise Architecture Technical Infrastructure Design and Information Technology (IT) Infrastructure Segment Program Plan. During the audit, we met with personnel involved in the project, including the Project Manager and NARA’s Chief Technology Officer (CTO)[2]. We reviewed NARA’s plans for meeting the TIC initiative and asked about any constraints or gaps preventing implementation. We also reviewed Capital Planning and Investment Process (CPIC) planning and scheduling documents related to this project. Finally, we reviewed NARA’s contract files for their contract with an approved NETWORX services provider.

Our audit work was performed at Archives II in College Park, MD between January 2010 and June 2011. Due to other auditing priorities, our work was placed on hold from March 2010 until November 2010.
We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

[1] OMB memoranda related to the TIC initiative include the following:

• OMB M-08-05, Implementation of Trusted Internet Connections (TIC), November 20, 2007
• OMB M-08-16, Guidance for Trusted Internet Connection Statement of Capability Form (SOC), April 4, 2008
• OMB M-08-26, Transition from FTS2001 to NETWORX, August 28, 2008
• OMB M-08-27, Guidance for Trusted Internet Connection (TIC) Compliance, September 30, 2008
• OMB M-09-32, Update on the Trusted Internet Connections Initiative, September 17, 2009

[2] During the timeframe of this audit, NARA underwent a Transformation effort. Office names and symbols have subsequently changed to reflect the reorganization. However, the previous office names and systems are used in the body of this report to reflect the historical names of the offices involved throughout the TIC initiative.

Audit Results

1. NARA Had Not Fully Implemented TIC Initiative

At the time of our audit, NARA had not fully implemented and met the goals of OMB’s TIC initiative.
Specifically, NARA had not met their goal to consolidate their seven external connections to the target of two and had not completed the Managed Trusted Internet Protocol Services (MTIPS) implementation, as required by OMB. This was caused by NARA not adequately planning and prioritizing to meet these goals, identifying constraints or gaps in implementation, and developing plans to address any constraints in implementing the initiative. As a result, NARA missed out on the potential benefits of the initiative, such as improved network security and management.

The November 2007 OMB memorandum M-08-05 required agencies to reduce and consolidate the number of external access points, including Internet connections, and ensure all external connections were routed through an OMB-approved TIC. Further, in August 2008, OMB required agencies to acquire telecommunications connectivity through the GSA NETWORX contract. Agencies were encouraged to purchase MTIPS Contract Line Item Numbers (CLINs) through this GSA contract. MTIPS[3] enabled agencies to connect to the public Internet or other external connections in full compliance with the OMB TIC initiative.

Prior to the TIC initiative, NARA had seven external connections. In April 2008, NARA determined their target number of external connections was two and the original projected completion date to eliminate five external connections was September 2009. However, as of March 2011, only one of the external connections had been eliminated. Further, NARA was still in the process of implementing the MTIPS at their sites.
As of February 2011, the targeted completion date for the migration to MTIPS was May 2011[4]. Thus, NARA had not yet consolidated their external connections to the target of two and none of the other connections went through a TIC-approved connection.

NARA had not met these goals because despite their deadline to eliminate five external connections by September 2009, NARA had not managed the project as a priority or identified any constraints or technical gaps to prevent implementation. In August 2009, NARA revised its goals to eliminate one external connection by September 30, 2010 and another by March 31, 2011. The deadlines to eliminate the remaining connections were listed as “to be determined”.

[3] MTIPS is a fully managed solution comprised of public Internet connectivity, the TIC portal, the network infrastructure to transport Internet Protocol traffic between the agency’s enterprise wide area network (WAN), and the TIC portal which included management of a premise-based firewall and a security operation center.

[4] This date was pushed back to June 2011. Starting June 15, 2011, NARA began replacing the current internet service with the OMB-mandated TIC services.

In our initial meeting in January 2010, we were informed that the necessary plans and OMB requested information had been prepared and submitted to OMB; however, these plans had not been executed. When asked why these plans had not been executed, the CTO stated that with the change of administration, they were unsure if this initiative would continue. However, the TIC initiative was re-emphasized as part of the Comprehensive National Cybersecurity Initiative (CNCI).
Since work did not begin until November 2010, despite the original projected completion date of September 2009, it appeared that NARA had not managed this project as a priority.

Further, NARA had not identified any technical gaps or other restraints, such as limited funding, to meet these goals. In their original assessment in April 2008, NARA had not identified any gaps in their current agency-wide policy, governance, or enforcement mechanisms to prevent a successful implementation of TIC. Then again in October 2008, in their report to OMB, NARA stated that nothing prevented them from a successful implementation of TIC. Additionally, the fiscal year 2010 Exhibit 300[5] for NARA’s IT Infrastructure stated that NARA was well into its migration to reduce down to two TICs. In these planning and budget documents, no capability or funding limitations were identified as a factor preventing NARA from meeting the TIC goals. Yet, the initiative was delayed and it appeared that NARA had not actively pursued the goals of reducing their external connections. Without identifying constraints or technical gaps, plans could not be developed to address such constraints or gaps.

Subsequent to our fieldwork, we were provided with documentation showing the delay in Qwest’s obtaining their authorizations from GSA. Specifically, Qwest did not receive the certification and accreditation of their MTIPS Security Operations Center and MTIPS System until June and September 2010, respectively. Therefore, some of NARA’s delay in implementing the TIC was attributed to Qwest not obtaining their authority to operate until September 2010.

By not consolidating to the targeted network connections and implementing TIC, NARA could not capitalize on the potential benefits of the initiative. Reported benefits of the TIC initiative include improvements in network security and network management.
By reducing the number of access points needing to be monitored, agencies can improve their network security. Consolidating connections and centralizing security monitoring make it easier to monitor traffic and protect networks from attacks. In addition, the consolidation of external connections can make an agency’s network perimeter more secure. Other agencies have reported that implementing TIC was beneficial because it forced them to gain a greater awareness of their overall network environment, potentially reducing the complexity of the network making it simpler to manage.

[5] Exhibit 300s are the reporting mechanisms used for the annual budget submission to OMB.

Recommendation 1

The Chief Information Officer should ensure the TIC initiative is completed in accordance with OMB, GSA, and DHS requirements. Any exceptions to these requirements should be documented and approved by the Chief Information Officer.

Management Response

Management comments were not received prior to issuance of the final report.

Recommendation 2

The Chief Information Officer should ensure that any limitations related to the TIC initiative are identified and tracked until implementation is complete.

Management Response

Management comments were not received prior to issuance of the final report.

2. NARA Had Not Sufficiently Prepared Planning Documents to Meet TIC Initiative

NARA had not adequately prepared and planned to meet the goals of the TIC initiative. OMB memoranda required agencies to develop a comprehensive plan of action and milestones (POA&M). NARA developed a POA&M to meet this requirement; however, the POA&M was incomplete and had not been reviewed or updated regularly. Further, additional planning documentation was not prepared as planned. As a result, NARA’s implementation of TIC was delayed and implementation did not begin until November 2010, despite the original completion date of September 2009.

When the TIC initiative was first announced in 2007, OMB required each agency to develop a comprehensive plan of action and milestones (POA&M). Agencies were required to develop and submit comprehensive POA&Ms to reduce and consolidate their number of external access points, including Internet connections, and ensure that all external connections were routed through an OMB-approved TIC. Planning guidance issued by OMB stated that POA&Ms must show specific milestones and activities for each element of the "As Is" Inventory, showing its transition from the current to the "To Be" target, as well as material underlying dependencies. In September 2009, OMB provided an update to the TIC Initiative and required all agencies to update and report their formal POA&M by September 25, 2009. Further, agencies were required to submit a POA&M to DHS by September 25, 2009 and provide updated status to DHS every 6 months thereafter, until complete.

We found that NARA had not adequately prepared and planned to meet the goals of the TIC initiative. Specifically, NARA developed a POA&M to submit to OMB; however, the POA&M was incomplete and had not been reviewed or updated regularly. For example, in their August 2009 POA&M, NARA had not identified completion dates to reduce their connections to the target of two.
Instead, deadlines were listed as “to be determined”[6]. NARA complied with OMB guidance and submitted revised POA&Ms in April 2008; August 2009; and September 2009; however, no other updates were completed for the TIC POA&M. Further, the required subsequent updates were not provided to DHS as required by OMB memorandum M-09-06[7].

Also, additional planning documentation was not prepared as planned. Prior to the development of the Project Schedule in late 2010, no other detailed plans had been developed for this initiative. The 2009 IT Infrastructure Segment Program Plan stated TIC Migration Planning would be completed in second quarter of fiscal year 2010 (January through March 2010). However, the Project Schedule was not started until November 2010 and was not finalized until January 2011.

[6] See Attachment 1 for an excerpt from the POA&M last updated for the TIC initiative.

[7] OMB M-09-32, Update on the Trusted Internet Connections Initiative, September 17, 2009

In February 2011, we were informed that the POA&M for this project was no longer being maintained. Instead, only the Project Schedule was being maintained. This schedule aids in completing tasks related to the TIC implementation; however, it did not align with the requirements and deadlines outlined by OMB. Further, no other updates had been made to NARA’s POA&M or submitted to DHS as required[8].

As a result, NARA’s implementation of TIC has been delayed and project implementation did not begin until November 2010. Further, these delays had not been communicated to OMB and DHS, as required. NARA had not fully implemented TIC and was not in compliance with OMB’s intentions.
To be in compliance, agencies were required to continue their reduction and consolidation effort. The end-state of the TIC initiative is for each agency to meet the following targets: 100% compliance with the TIC critical technical capabilities and 100% of external connections routed through an approved TICAP. Despite the delayed implementation and limited POA&M documents, NH officials believed they were in compliance with OMB and DHS requirements.

Recommendation 3

The Chief Information Officer should ensure a comprehensive POA&M is completed for the TIC initiative and a periodic review and update of the POA&M is completed until full implementation. Once complete, the Chief Information Officer should ensure a POA&M is reported to DHS as required.

Management Response

Management comments were not received prior to issuance of the final report.

[8] Subsequent to our fieldwork, we were provided with an updated POA&M submitted to DHS later in February 2011. However, this POA&M did not provide an explanation or estimated completion date for the reduction and consolidation of all TIC access points. Further, formal deadlines still had not been established or tracked to disconnect all external non-TIC connections.

3. NARA Had Not Developed Contract Requirements for MTIPS Contract

In contracting for the MTIPS, NARA did not develop contract requirements or determine the appropriate CLINs needed for their environment. GSA provided guidance to agencies on how to determine the appropriate CLINs for their agency.
Instead of following this process, NARA relied on their MTIPS contractor to select the appropriate CLINs, which consisted of over $118,000 of set-up or non-recurring costs and almost $720,000 (about $60,000 per month) of yearly recurring costs. With over 4,500 CLINs available, NARA lacks assurance it purchased the services needed for its environment.

Agencies seeking services from a TIC provider were encouraged to purchase the Managed Trusted Internet Protocol Services (MTIPS) CLINs through the NETWORX contract as part of their plan to reduce and consolidate their agency’s external connections. GSA’s guidance stated that agencies should determine their requirements for NETWORX ordering by conducting a complete analysis of current inventory of telecom services as well as projecting future operational needs. This analysis determines how NETWORX service offerings can best meet an agency’s needs. Then agencies should select a vendor through the Fair Opportunity process to meet those requirements.

Additional steps for requirements development were detailed in the NETWORX Fair Opportunity and Statement of Work (SOW) Guide. This guide explains that NETWORX telecommunications service requirements and ordering are directly linked to the NETWORX CLINs. This CLIN structure serves as a determinant of how an order will be placed under the NETWORX contract. The NETWORX contract allows agencies to develop their list of requirements from the universe of over 4,500 CLINs that were competed and competitively priced by vendors to facilitate ordering directly off the NETWORX contracts.

The first step in this process is to determine requirements using the agency’s telecommunications services inventory and other requirements to define their service requirements and group them into a Statement of Requirements (SOR) package.
Then the agency should conduct a gap analysis to determine what requirements identified in their SOR can be met using the established CLINs in the NETWORX contract. A SOW is only required if requirements cannot be met using the fixed-price CLINs. When possible, agencies were encouraged to select from pre-determined and priced CLINs as the mechanism to procure TIC services from GSA. If the services can be accommodated solely by the fixed priced CLINs, then the agency should proceed with the Fair Opportunity decision process to select the contractor best suited to provide the required services under NETWORX. The agency should then document the basis for their decision or any exceptions to the Fair Opportunity process. Once completed, the agency may proceed to select a qualified contractor and begin placing orders with the selected contractor.

However, we found that NARA had not determined the specific services or CLINs needed to be included in the contract for the NARANet environment. Instead, NARA relied on their NETWORX contractor, Qwest, to determine the appropriate CLINs for NARA’s environment. Initially, NARA prepared a Statement of Requirements document, which included information relating to the current architecture, the “to-be” architecture, and their telecommunications requirements. However, the SOR was abandoned when NARA filed for an Exception to the Fair Opportunity Process. The basis for this exception was that, by issuing the MTIPS order to Qwest, NARA could avoid paying an estimated $180,000 in non-recurring costs and up to three years of duplicate recurring costs. According to the document filed with GSA, these costs would be incurred to allow for rework of another vendor.
Therefore, this contract was issued on a sole-source basis in the interest of economy and efficiency because it was a logical follow-on to a task order already issued on a competitive basis.

After filing the Exception to the Fair Opportunity Process, NARA selected Qwest as their preferred provider for the NETWORX MTIPS. Then in November 2010, a meeting was held with Qwest and the contractor was tasked with providing a quote and a proposed listing of CLINs for NARA[9]. In response, Qwest provided their price quote comprised of the CLINs selected by Qwest’s MTIPS Design Engineer. The CLINs selected by Qwest totaled about $118,000 in non-recurring costs and almost $60,000 of monthly recurring costs.

When asked why NARA had not pre-determined the CLINs for their environment, the CTO stated that many of the CLINs appeared to be similar services and NARA lacked the expertise to distinguish the different services and pick the appropriate ones for NARA’s environment. The CTO explained that Qwest was more familiar with their service offerings and the CLINs associated with these services. Therefore, they asked Qwest to determine the appropriate CLINs for NARA.

Since the contract was not selected on a competitive basis and NARA tasked the contractor with determining the appropriate CLINs, NARA lacks assurance it has purchased the appropriate services needed for its environment. Further, NARA lacks assurances that the most cost effective options were selected since NARA allowed the contractor to select the CLINs to be provided.

[9] Subsequent to our fieldwork, additional requirements documents, such as draft Statements of Work (SOW) were provided. However, as suggested by GSA, these SOWs were cancelled prior to awarding the contract to Qwest due to NARA’s Exception to the Fair Opportunity Process. Documentation was not provided to demonstrate the requirements given to Qwest to develop their price proposal of NARA CLINs. Instead, we were informed that NARA worked with Qwest through a series of technical meetings to determine the MTIPS requirements. Further, no documentation could be provided for these meetings.

Recommendation 4

The Chief Information Officer should ensure metrics are identified to monitor the services provided by the MTIPS contractor as they are put in place to ensure they meet the needs of NARA’s IT environment.

Management Response

Management comments were not received prior to issuance of the final report.

Recommendation 5

The Chief Information Officer should ensure the selected services provided by the MTIPS contractor are assessed once they are in place to ensure they meet the needs of NARA’s IT environment.

Management Response

Management comments were not received prior to issuance of the final report.

4. NARA had not Developed Process to Monitor NETWORX Contract

NARA had not developed a formal process or assigned responsibilities to monitor the performance of the NETWORX contract. GSA developed guidance to help agencies manage and monitor the services ordered under the GSA NETWORX contract for IT services. However, NARA had not yet completed this task. By not having a process in place to manage and monitor this contract, NARA cannot ensure the appropriate levels of services are provided by Qwest, their NETWORX contractor.
Further, credits can be
received if service levels are not met; however, these credits are not awarded
automatically. Instead, NARA must submit requests for credits through the contractor
and GSA.

To help agencies manage and monitor services ordered under the NETWORX contract,
GSA developed the NETWORX Service Level Agreement (SLA) Management Guide.
This guide provided information on managing the SLAs and outlined the roles and
responsibilities of the contractor, the agency, and GSA that apply to telecommunications
services obtained from NETWORX contractors. SLAs are established agreements
between the government and the NETWORX contractors to provide services
at performance levels that meet or exceed performance levels specified in the
NETWORX contract. If specified service levels are not met, the contractor is required to
issue specified credits, when requested to do so by the ordering agency. However, it is
strictly up to the agency to decide how to perform its role in managing NETWORX
SLAs.

As part of their contract, each NETWORX contractor is required to submit to the agency
an "Agency-Specific SLA Monthly Compliance Report". Agencies should review this
report and identify any SLAs for which there is a discrepancy. In the event that actual
performance is less than required by the SLA, the agency is entitled to a credit.
However, NETWORX SLA credits are not awarded automatically. Instead, the agency
must request a credit and the agency has up to six months to request SLA credits. In this
process, the agency is responsible for verifying the contractor's compliance assessments;
resolving each SLA issue that affects the agency; and escalating any unresolved SLA
issues to GSA.

We found that NARA had not yet developed a process to manage and monitor the SLAs
associated with their NETWORX contract.
Further, NARA had not yet assigned these
roles and responsibilities within the agency to monitor the performance of Qwest, their
NETWORX provider. During the contract planning, NARA should have developed a
process and assigned responsibilities to verify the contractor’s compliance assessments
and resolve each SLA issue that affects NARA. Also, a process should have been
established to escalate any unresolved SLA issues to GSA. After our audit exit
conference, we were provided with an email stating that an NH official believed that the
Project Manager had been assigned the responsibility for monitoring the SLAs and
applying for credits due to NARA.

During the audit, NH officials stated that a process had not yet been developed because
the NETWORX contract had not been fully implemented. When asked if anyone had
been appointed or assigned to monitor the SLAs, the CTO stated that no one had been
appointed yet to monitor the SLAs. Instead, the NH official stated that someone will be
appointed during the maintenance and operations phase of the project. While it is strictly
up to the agency to decide how to perform its role in managing NETWORX SLAs, GSA
recommends the review of the agency-specific SLA monthly compliance report and any
resulting requests for SLA credits to be performed on a monthly basis.

By not establishing a formal process or assigning roles and responsibilities, NARA
cannot ensure adequate management and monitoring of their NETWORX contractor’s
performance. Without adequate monitoring, NARA has no assurance they are receiving
the services as intended.
Further, if the SLAs are not met, NARA risks not receiving
SLA credits, since it is NARA’s responsibility, not GSA’s or Qwest’s, to request these
credits.

Recommendation 6

The Chief Information Officer should ensure that GSA’s guidance for managing
NETWORX SLAs is implemented. Specifically,

   •   A process should be developed to verify the contractor’s compliance assessments
       and resolve each SLA issue that affects NARA.
   •   A process should be established to escalate any unresolved SLA issues to GSA.
   •   Roles and responsibilities within each of these processes should be appropriately
       assigned.

Management Response

Management comments were not received prior to issuance of the final report.

Attachment 1 - POA&M

Excerpt from POA&M submitted to OMB in September 2009:

Section 5. Continuing reduction and consolidation of external
connections to identified TIC access points

Table 2: Reduction and Consolidation Progress

Please enter your agency's number of external connections and the date you intend to
reach reduction milestones.
The definition of external connection can be found in
Appendix B of the TIC Reference Architecture

Reduction &      Calculated Reduction    Date of Agency’s Intended
Consolidation    (# of connections)      Completion (mm/dd/yy)

0%               7                       1/1/2008
20%              6                       09/30/10
40%              5                       03/31/11
60%              4                       TBD
80%              3                       TBD
100%             2                       TBD

# of connections is interpreted as the number of external connection access points. For
this table, multiple external connections at the same access point are counted as one
external connection
The 0% row should be the starting number of connection access points on January 2008
The 100% row should be the ending number of connection access points, expected to
be one (1) to eight (8) MTIPS access point connections

Appendix A – Acronyms and Abbreviations

CLIN    Contract Line Item Number
CNCI    Comprehensive National Cybersecurity Initiative
CIO     Chief Information Officer
CTO     Chief Technology Officer
DHS     Department of Homeland Security
GSA     U.S. General Services Administration
IT      Information Technology
MTIPS   Managed Trusted Internet Protocol Services
NARA    National Archives and Records Administration
NH      NARA’s Office of Information Services
OIG     Office of Inspector General
OMB     Office of Management and Budget
POA&M   Plan of Action and Milestones
SLA     Service Level Agreement
SOR     Statement of Requirements
SOW     Statement of Work
TIC     Trusted Internet Connections

Appendix B - Management’s Response to the Report

On July 27, 2011 management was provided with a copy of the draft report for their
review and comment. As usual, we provided management 30 calendar days for their
written comments. At the time of report issuance, more than 30 days past the original due
date, management was still in the process of discussing comments and had not provided
their final comments. Therefore, management comments were not provided at issuance
of this report.

Appendix C - Report Distribution List

David S. Ferriero, Archivist of the United States, N
Debra Wall, Deputy Archivist, ND
Thomas Mills, Chief Operating Officer, C
Michael Wash, Chief Information Officer, Information Services, I
Haseen Uddin, Chief Technology Officer, CTO
Mary Drak, Strategy Division, Policy, CP